[These notes come from Bob Cottrell at pe.net. Thanks Bob! Bob is running Solaris 9 on Suns, but this should apply to other Posix installs including Linux or BSD with only relatively minor differences. Note that you can and probably should add your other RBLs and serve them up locally too. Additional notes at end.]

[Additional editor's note: the individual surbl zones in the original examples are obsolete and have been replaced with multi.surbl.org, which is the only zone that should be used since it includes all the other zones.]

How to set up a local RBL mirror

Download, compile and install the latest rbldnsd and rsync

Create a directory where you will store the zone files:
$ mkdir /usr/local/etc/rbldnsd

In this directory I also created 2 scripts:

rbldnsd.cron:


#!/bin/sh
/usr/local/bin/rsync -tq some_rsync_server::surbl/multi.surbl.org.rbldnsd /usr/local/etc/rbldnsd/
/usr/local/bin/rsync -tq other_rsync_server::dsbl/rbldns-list.dsbl.org /usr/local/etc/rbldnsd/rbldns-list.dsbl.org

(Note: there is a dot between "rbldnsd" and ">" to denote the current directory, and you'll replace some_rsync_server with the actual rsync server name provided when you are granted access.)

[Editor: Also note that multi.surbl.org.rbldnsd is the only zone that should be used.]

I have this cron'd to execute every 30 minutes:
10,40 * * * * /usr/local/etc/rbldnsd/rbldnsd.cron

and
S87rbldnsd: (to be linked into /etc/rc2.d)


 

#!/bin/sh
#
# /etc/rc2.d/S87rbldnsd

PATH=$PATH:/usr/bin:/usr/local/sbin

case "$1" in
'start')
        if [ -x /usr/local/sbin/rbldnsd ]
        then
                /usr/local/sbin/rbldnsd -u named -b 10.11.12.13/53 \
                -w /usr/local/etc/rbldnsd \
                multi.surbl.org:dnset:multi.surbl.org.rbldnsd \
                list.dsbl.org:ip4set:rbldns-list.dsbl.org
        fi
        ;;

'stop')
        /usr/bin/pkill rbldnsd
        ;;

*)
        echo "Usage: $0 { start | stop }"
        exit 1
        ;;
esac
exit 0



Then fill out our rsync request form to request access to the SURBL zone files. Please let us know the IP address you will be rsyncing from and the approximate number of incoming messages processed per day.

Once access has been granted, start up the cron job, and make sure that the files were transferred.

It should look something like this:


$ cd /usr/local/etc/rbldnsd
$ ls -l

total 1000 
-rwxr-xr-x   1 named     other        499 May  3 16:43 S87rbldnsd*
-rwxr-xr-x   1 named     other        132 May  3 16:03 rbldnsd.cron*
-rw-r--r--   1 named     other     178488 May  3 18:10 multi.surbl.org.rbldnsd

Now go ahead and start up the rbldnsd daemon:


# cd /etc/rc2.d
# ln -s /usr/local/etc/rbldnsd/S87rbldnsd
# ./S87rbldnsd start

rbldnsd: listening on 10.11.12.13/53
rbldnsd: dnset:multi.surbl.org.rbldnsd: 20040504 010002: e/w=10952/0
rbldnsd: zones reloaded, time 0.10e/0.8u sec
rbldnsd: rbldnsd version 0.992 (7 Mar 2004) started (1 socket(s), 2 zone(s))

Now it's time to tell named to look at your server for the answers for multi.surbl.org.

Add the following lines to your named.conf file:


zone "multi.surbl.org" IN {
        type forward;
        forward first;
        forwarders {
        10.11.12.13;
       };
};

And restart named.

Editor's Notes:

  1. Another port forwarding style is to use 127.0.0.1 as the address and a higher port number like 750, as in:
    rbldnsd:
    
       multi.surbl -r/var/named/surbl -t21600 -c60 -b127.0.0.1/750 
       multi.surbl.org:dnset:multi.surbl.org.rbldnsd 
    
    
    bind(9):
    
    zone "multi.surbl.org" IN {
            type forward;
            forward first;
            forwarders {
            127.0.0.1 port 750;
            };
    };
    
    Either style works fine, though an alternate address and port 53 is arguably less likely to conflict with other services.
  2. If you have the luxury of running a dedicated rbldnsd server or can run it on a separately reachable IP address, you won't need port forwarding. Just set it up to run on port 53 and you're set!
  3. It's no longer necessary to manually reload rbldnsd since by default it will automatically check for and load any changed zone files every 60 seconds. This can be adjusted with the -c command line argument.
  4. You can and probably should request rsync access for other RBL zone files you use, and configure rbldnsd to serve them locally also. Doing so will improve your mail performance and reduce DNS traffic to the public name servers.
  5. rbldnsd is much more memory efficient than BIND, even as it keeps the zones fully in memory, and is significantly faster than BIND. (Some reports mention 3x speed and 10x memory improvements.) So it's definitely worth using rbldnsd for your RBL zones, especially if you use some of the larger ones.
  6. Installing rbldnsd from the ports collection under FreeBSD creates a startup file automatically. After configuring the zones and port forwarding, and testing that it's serving up the rsynced zones correctly, remember to add rbldnsd_enable="YES" to /etc/rc.conf to make rbldnsd start at boot time. Other operating systems and tools will have their own methods for doing this.
  7. See also NJABL's tips for running rbldnsd and rsync (local copy).
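
Because rbldnsd reloads changed zone files by itself within 60 seconds, a truncated or empty transfer written straight into its working directory is served almost immediately and the list silently stops matching. The function below is an added example, not part of Bob's or SURBL's scripts: rbldnsd.cron would rsync into a staging directory and promote the file only after basic sanity checks. It assumes a POSIX shell; the promote_zone name, the staging path and the thresholds are hypothetical.

```shell
#!/bin/sh
# Added example: stage-then-promote gate for an rsynced rbldnsd zone file.
# Function name, staging path and thresholds are hypothetical.

# promote_zone STAGED LIVE [MIN_BYTES] [MAX_SHRINK_PCT]
# Returns 0 if STAGED was installed (or is identical to LIVE), 1 if rejected.
promote_zone() {
    staged=$1 live=$2 min_bytes=${3:-1024} max_shrink=${4:-50}

    # Reject a missing or empty download outright.
    [ -s "$staged" ] || { echo "reject: $staged missing or empty" >&2; return 1; }

    new_size=$(wc -c < "$staged" | tr -d ' ')
    if [ "$new_size" -lt "$min_bytes" ]; then
        echo "reject: $staged is only $new_size bytes" >&2
        return 1
    fi

    # Reject a file that lost more than MAX_SHRINK_PCT of its lines
    # compared with the copy rbldnsd is serving now.
    if [ -s "$live" ]; then
        old_lines=$(wc -l < "$live" | tr -d ' ')
        new_lines=$(wc -l < "$staged" | tr -d ' ')
        floor=$(( old_lines * (100 - max_shrink) / 100 ))
        if [ "$new_lines" -lt "$floor" ]; then
            echo "reject: $new_lines lines, expected at least $floor" >&2
            return 1
        fi
        cmp -s "$staged" "$live" && return 0   # unchanged, nothing to do
    fi

    # Copy next to the live file, then rename. The rename is atomic on the
    # same filesystem, so rbldnsd never opens a half-written zone.
    tmp="$live.new.$$"
    cp -p "$staged" "$tmp" && mv -f "$tmp" "$live"
}

# Usage inside rbldnsd.cron (the .stage directory is an assumption):
#   rsync -tq some_rsync_server::surbl/multi.surbl.org.rbldnsd \
#       /usr/local/etc/rbldnsd.stage/ &&
#   promote_zone /usr/local/etc/rbldnsd.stage/multi.surbl.org.rbldnsd \
#                /usr/local/etc/rbldnsd/multi.surbl.org.rbldnsd
```

A rejected update leaves the previous zone file in place and prints the reason on stderr, which cron mails to the job owner by default.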

SURBL Data Feed Request

SURBL Data Feeds offer higher performance for professional users through faster updates and resulting fresher data. Freshness matters since the threat behavior is often highly dynamic, so Data Feed users can expect higher detection rates and lower false negatives.

The main data set is available in different formats:

Rsync and DNS are typically used for mail filtering and RPZ for web filtering. High-volume systems and non-filter uses such as security research should use rsync.

For more information, please contact your SURBL reseller or see the references in Links.

Sign up for SURBL Data Feed Access.
